Category Archives: Security

[Policy Template] Should Failing Phishing Tests Be a Fireable Offense?

Thanks to KnowBe4 for this great policy tip!

Firing employees for failing phishing tests can be extremely counterproductive and can damage an organization’s overall security posture. That, at any rate, is what two security experts told Brian Krebs recently, and we agree with them.

Companies sometimes think punitive policies will make employees take phishing more seriously, but these policies actually discourage cooperation and openness. It is much more productive to reward desired behavior.

John LaCour, founder and CTO of PhishLabs, told Krebs that punishment isn’t an effective response to failed phishing tests because it makes employees feel they’ve been manipulated.

“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” LaCour said. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”

Punishing Employees Has Negative Security Repercussions

In addition to creating an unhealthy work environment, punishing employees for failing phishing tests will have negative repercussions for your organization’s security. When an employee does fall for a phishing email, whether real or simulated, the most important thing they can do is report the incident so that the attack can be mitigated. Rohyt Belani, CEO of Cofense, said that organizations should have training programs that encourage employees to report failed phishing tests.

“So what happens a lot of times is a person may click on a link in a real phishing email, and three seconds later realize, ‘Oops, I shouldn’t have clicked, let me report it anyway’,” Belani told Krebs. “But if that person knew there was a punitive angle to doing so, they’re more likely not to report it and to say, ‘You know what, I didn’t do it. Where’s the proof I clicked on the link?’”

LaCour says that positive reinforcement and recognition are key to improving employees’ phishing resistance. He said that posting the scores for each department’s phishing tests can make employees take the tests seriously and improve cooperation. He added that small rewards and lighthearted penalties, like having the lowest-scoring department buy lunch for everyone, can also help by making it feel like a good-natured competition.

An organization’s employees are its most important assets, and they need to be treated fairly and with respect. However, employees who are chronically click-happy become an active liability for your network security. New-school security awareness training can build a culture of security within your organization by providing education programs that are effective and make your employees feel valued.

Part of that fair treatment is a published security policy—which hundreds of organizations use today—to create a clean, clear, level playing field with known consequences for repeated click behavior. Here is a “find/replace” Policy Template Doc that you can use for your own organization:
https://blog.knowbe4.com/policy-template-should-failing-phishing-tests-be-a-fireable-offense

Using Multiple Cloud Apps? Secure all your data with Cloud App Security

General Networks can help you secure multiple cloud apps with Microsoft Cloud App Security! 

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB), powered by a unique approach to deliver state-of-the-art security for multi-cloud environments, via native integrations. It is designed with security professionals in mind – providing simplicity of deployment, centralized management, and innovative automation capabilities.

Contact us at tssales@gennet.com

INFO: Five steps to secure your identity infrastructure in Azure Active Directory

by kurtsh

This document uses a five-step checklist to help you reach a more secure posture with the capabilities of Azure Active Directory and inoculate your organization against cyber-attacks.

This checklist will help you quickly deploy critical recommended actions to protect your organization immediately by explaining how to:

  • Strengthen your credentials.
  • Reduce your attack surface area.
  • Automate threat response.
  • Increase your awareness of auditing and monitoring.
  • Enable more predictable and complete end-user security with self-help.

https://docs.microsoft.com/en-us/azure/security/azure-ad-secure-steps

How to Spot Phishing Messages Like a Pro

Update to STAY SAFE FROM PHISHING. 5 Ways to Stay Safe

June 2018 Volume 13 Issue 06

From the desk of Thomas F. Duffy, MS-ISAC Chair

The Federal Trade Commission’s definition of phishing is “when a scammer uses fraudulent emails or texts, or copycat websites, to get you to share valuable personal information.”[1] When a user falls for a phishing message, the malicious actor achieves their purpose of getting the victim to hand over sensitive information such as login names and passwords. Though we count on technologies and controls to minimize threats, phishing exploits users through social engineering, which allows malicious actors to sidestep these protections. This is why it is important that everyone learn to spot these fraudulent messages. Let’s look at some example phishing messages.

Message #1

Subject: Low Cost Dream Vacation loans!!!

Dear John,

We understand that money can be tight and you may not be able to afford to go on vacation this year.   However, we have a solution. My company, World Bank and Trust is willing to offer low cost loans to get your through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account.

Please email your completed form to VacationLoans@worldbankandtrust.com.

Your dream vacation is just a few clicks away!

Dr. Stephen Strange

World Bank and Trust

177a Bleecker Street, New York, NY10012

What did you notice in message #1? 

In this message, the phisher offers us a low-cost loan: we just need to send them our information and they will give us money. Not only does it seem too good to be true, but when you hover the cursor over the email address to examine it further, you see that the link actually has a different destination, the attacker’s own email address. Lastly, as much as you might like Dr. Strange, he’s probably not working for a bank part-time.

Message #2

Subject: Free Amazon Gift Card!!!

Dear Sally,

You name has been randomly selected to win a $1000 Amozan gift card. In order to collect your prize, you need to log in with your Amazon account at the link below and update your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days.  Failure to respond will forfeit your prize and we will select another winner.

www.amozan.com/giftredemption2321

What did you notice in message #2? 

Aside from this seeming too good to be true, you can see that “Amazon” is misspelled as “Amozan” in the link provided. If you read this quickly, you may think you are responding to the real company to get your gift card. In reality, you are providing your information to the attacker. For the purposes of this example, the link actually navigates to the Center for Internet Security, which is a trustworthy site.

Message #3

Subject: Urgent – Take Action Before Your Email Account is Deactivated

Dear User,

Following changes to our Microsoft email systems, each user must authenticate their account to prevent it from being deactivated. You can accomplish this by heading to the link below and entering your Microsoft Outlook email account credentials, and then we will know your account is active and should remain so.

https://www.microsoft.com/

Thank you,

Information Technology

Helpdesk Support Team

What did you notice in message #3?

This email is fairly well crafted without errors. Note that it establishes a sense of urgency that the malicious actor hopes will cloud your judgment and threatens the deactivation of your email account. Additionally, the link at the bottom looks like a link to Microsoft, yet it is, in fact, heading somewhere else! Luckily, for the purposes of this example, that link simply leads to the Center for Internet Security, which is a legitimate site.

With these three examples considered, here are some basic recommendations to help protect you from becoming a phishing victim:

  • If it seems too good to be true, it probably is;
  • Hover your cursor over links in messages to find where the link is actually going;
  • Look for misspellings and poor grammar, which can be good signs a message is a fraud;
  • And, never respond to an email requesting sensitive personal information (birthday, Social Security Number, username/password, etc.).
Additional information and a phishing game can be found on the FTC’s website, https://www.ftc.gov/.

STAY SAFE FROM PHISHING. 5 Ways to Stay Safe

Phishing attacks are getting more sophisticated.  Use this post to arm yourself with 5 tips to spot a fake email.

  1. Check the sender
  • Make sure the organization name in the “From” field matches the address between the brackets. Watch out for addresses that contain typos in the organization name (think amaz0n.com). Keep in mind that the display name proves nothing by itself: an attacker can put any name in front of any address.
  2. Check the salutation
  • If you do business with an organization, the first line of the email will usually contain your name. Be wary of impersonal introductions like “Dear Customer.”
  3. Use your mouse to hover over links
  • Hover over an email link to see the full URL it will direct you to. Do NOT click the link—just hover. If the address isn’t where you’d expect to go, don’t click it. Check all the links: if every link in the message goes to the same address, that is another warning sign of a phishing email.
  4. Examine the footer
  • The footer of a legitimate marketing email should contain, at minimum:
    • A physical address for the brand or institution
    • An unsubscribe link
  • If either of these is missing, treat the message with suspicion.
  5. If it’s doubtful, don’t click on it. Delete it.
  • If you don’t know the sender, or even if something just seems off, delete the email. If it’s genuine, the sender will contact you another way or send the message again.
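The sender, lookalike-domain and hover-over checks from the recommendations above (and from the three example messages earlier on this page) can be applied mechanically to a saved message before anyone clicks. The following Python script is an added example written for this page, not code from MS-ISAC, the FTC or the post's author. It parses a raw .eml, takes the From header and every link in the HTML body, and reports display names that claim a brand the address domain does not belong to, domains within two character edits of a known brand (amozan.com, amaz0n.com), and anchor text that shows one site while the href goes to another, which is the trick in message #3. KNOWN_BRANDS and the SAMPLE message are constructed for the demo, and the two-label "registrable domain" helper is deliberately simple.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the organisation routinely gets mail from (an assumption for this demo).
KNOWN_BRANDS = ("amazon.com", "microsoft.com")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname; good enough for .com-style brands."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the known brand that `domain` imitates (amozan.com -> amazon.com), else None."""
    if domain in KNOWN_BRANDS:
        return None
    for brand in KNOWN_BRANDS:
        if edit_distance(domain, brand) <= 2:
            return brand
    return None


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Tip 1 (check the sender): display name claims a brand, address domain is something else.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender:
        sender_domain = registrable(sender.domain)
        for brand in KNOWN_BRANDS:
            if brand.split(".")[0] in sender.display_name.lower() and sender_domain != brand:
                findings.append(f"sender: display name '{sender.display_name}' but address domain '{sender_domain}'")
        imitated = lookalike(sender_domain)
        if imitated:
            findings.append(f"sender: domain '{sender_domain}' looks like '{imitated}'")

    # Tip 3 (hover over links) done programmatically: compare shown text with the real href.
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        target = registrable(host)
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable(shown.group(1)) != target:
            findings.append(f"link: text shows '{shown.group(1)}' but goes to '{host}'")
        imitated = lookalike(target)
        if imitated:
            findings.append(f"link: destination '{target}' looks like '{imitated}'")
    return findings


# Constructed sample in the style of messages #2 and #3 above; not a real email.
SAMPLE = b"""From: Amazon Prizes <prizes@amozan.com>
Subject: Free Amazon Gift Card!!!
Content-Type: text/html; charset=utf-8

<p>Your name has been randomly selected to win a $1000 gift card.</p>
<p><a href="http://www.amozan.com/giftredemption2321">www.amozan.com/giftredemption2321</a></p>
<p>Verify at <a href="http://login-verify.example.net/">https://www.microsoft.com/</a></p>
"""
```

Run it against a saved message with `analyze(open("suspect.eml", "rb").read())`; on SAMPLE it reports the mismatched display name, the amozan.com lookalike in both the sender and the first link, and the second link whose text says microsoft.com while the href goes to login-verify.example.net. The edit-distance threshold of 2 will also flag short legitimate domains that happen to sit near a brand name, so treat the output as a prompt to look closer rather than a verdict, and remember that none of these checks helps when a legitimate account has been compromised and the sender and links are all genuine.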